Hi John,
On 1/12/06, John Kemp <john.kemp@nokia.com> wrote:
> Firewalls certainly come in different varieties, and some will be
> smarter than others. But as something to which a SOAP message has
> been dispatched (whether it's a SOAP request or a SOAP response) why
> is it any more of a security risk to be dispatched a (SOAP) request
> message that was in response to an (HTTP) message I sent than it is
> to get a SOAP response to a SOAP request I sent?
Because only requests are attempts to access services, and it's access
to services that a firewall is trying to mediate.
> From a coarse-
> grained firewall (one that doesn't inspect the contents of the HTTP
> response I guess) perspective, the HTTP response is still related to
> the request that was sent, and the HTTP response is sent back to the
> agent that initiated the HTTP request -- in both cases.
"Related" isn't sufficient information for the firewall to do its job.
>
> Speaking only to the PAOS question, I would note that the user agent
> receiving the HTTP response here will have explicitly advertised the
> service it offers specifically to the HTTP server with which it is
> interacting (via the PAOS HTTP header, during the HTTP request),
> making this more secure in some respects than the reception of an
> unsolicited SOAP request, which was not initiated by some action at
> the associated user agent (such as the user explicitly requesting
> some URL).
It makes it more visible to intermediaries that know to look for that
feature, enabling them to recognize the related incoming request if
they want to ... which is all well and fine, but no help at all to the
millions of existing firewalls which rely *only* on HTTP semantics to
distinguish request and response.
Mark.
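An added illustration (mine, not code from anyone in this thread) of the point Mark is making: the first classifier sees only what an HTTP-only firewall sees, the start line, while the second also looks for the PAOS markers inside the message (the application/vnd.paos+xml media type and the paos:Request SOAP header block from the Liberty PAOS binding). All sample messages and URLs are constructed.

```python
"""An HTTP response that carries a SOAP request: what a coarse-grained
firewall sees versus what a content-aware inspector can see."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
PAOS_NS = "urn:liberty:paos:2003-08"                    # Liberty PAOS header-block namespace
PAOS_TYPE = "application/vnd.paos+xml"                  # media type of a PAOS response


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def http_only_verdict(raw: bytes) -> str:
    """All a coarse-grained firewall knows: the start line decides request vs response."""
    start, _, _ = parse_http(raw)
    return "response" if start.startswith("HTTP/") else "request"


def content_aware_verdict(raw: bytes) -> str:
    """Also look inside: a PAOS media type or a paos:Request header block means
    this HTTP response is really a SOAP request aimed at a service on the client."""
    start, headers, body = parse_http(raw)
    if not start.startswith("HTTP/"):
        return "request"
    if headers.get("content-type", "").split(";")[0].strip() == PAOS_TYPE:
        return "soap-request-in-http-response"
    try:
        env = ET.fromstring(body)  # constructed input; use a hardened XML parser on real traffic
    except ET.ParseError:
        return "response"
    if env.find(f"{{{SOAP_ENV}}}Header/{{{PAOS_NS}}}Request") is not None:
        return "soap-request-in-http-response"
    return "response"


# Constructed sample: an ordinary-looking HTTP response whose body is a PAOS SOAP request.
PAOS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<S:Header><paos:Request xmlns:paos="urn:liberty:paos:2003-08" '
    b'responseConsumerURL="https://sp.example/acs" service="urn:example:svc"/></S:Header>'
    b"<S:Body/></S:Envelope>"
)
```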